Login

How to Use Wireshark Network Analyzer

Do you need to sniff out and spy on network communications in a LAN, WAN or any network configuration? Or have you found yourself in a difficult situation troubleshooting network-related problems inside and outside of your network? Then you need a network analyzer to examine the packets going into and out of certain media. Wireshark can help. Keep reading to find out how.

One of the most popular open source network analyzers is Wireshark. Since it is open source, you can use it for all purposes as long as you abide by their terms of use, whether for personal, commercial or education-related projects.

This article is for readers who are entirely new to Wireshark and network packet analysis. Because of the broad nature of this tutorial, it is divided into two parts. The first part discusses important network communication concepts, terminology and getting started on Wireshark. The second part will discuss data interpretation, packet analysis and show actual/advanced applications of Wireshark.

What is a Network Analyzer?

A network analyzer is used to analyze ALL of the information that passes into and out of a network interface/LAN card. This reveals the details of communication that pass through these interfaces. This information comes in the form of "packets" (I’ll define this word in the next section). By using Wireshark and analyzing packets, a network administrator can gather the information that passes through the interface.

The screen shot below shows how the information (used by an application at the user’s machine) is being converted into packets, and the protocols governing the communication (showing different layers):

Wireshark grabs packets in the transport/Internet layer. The governing protocols are TCP and IP; together, they are commonly called "TCP/IP" or the "Internet protocol suite." Since this is a packet switch network (a network based on packets communication), the data will be sent to the correct receiving machine based on the information found in the header of the packets. More detailed information about "packets" will be discussed later.

These are very important things to do, especially if you are assigned as a network administrator to examine/protect the information being transmitted away from the infrastructure. For example, if the computers on which you are working handles highly classified information, you can use Wireshark to double check whether those packets send outside the machines are encrypted. This will confirm that the encryption protocol of the machines is working (or warn you that it isn’t).

Another example: if sensitive information, such as passwords, is not encrypted, it can be intercepted in clear text form during the packet analysis using Wireshark. This is both good news and bad news for the machine’s users. The good thing is that, if the administrator regularly monitors and saves the packets, once the password is forgotten, it can be traced in the packet monitoring records. Another good application is to double check sensitive communication to make sure that the information is securely encrypted (i.e. confirming an SSH/Secure shell connection).

The bad news is that if you are working in a company and you are surfing/logging in to your personal websites, finances, etc., the network administrator can spy on your communication if you are not encrypting your packets. It means your account, passwords and identity are compromised.

Of course, they won’t tell you they use Wireshark, but a lot of administrators will do so — especially if your manager has doubts about your use of time and requests administrators to spy on your communication. This is the same problem you encounter if you use public-based Internet stations, such as those in a coffee shop with wireless Internet connections or an Internet café.

Discussing methods for encrypting network communications is beyond the scope of this article. There are, however, two common ways you can effectively encrypt your entire data communication:

When browsing websites, you can use SSH, which is an encrypting protocol.

SSH can also be used with your chat software (Skype, Yahoo messenger).

When logging in websites, and submitting passwords, use HTTPS (secure HTTP). Some reputable sites do this, like Google, Yahoo and MSN.

In this way, packets are encrypted and there is no way to compromise information using Wireshark packet analysis. If you are interested in encryption, particularly OpenSSH protocol, you may be interested in reading these tutorials:

Before we dive deeper into this tutorial, you need to know some very important network-related terms to help you understand how to use Wireshark for network troubleshooting and analysis. There are actually a lot of terms you’ll need to know to get the most out of using Wireshark. The terms below, however, are the most important.

Packets: This is the most basic information representing data (that contains the headers and user information) that is communicated between computers in the modern age. Think of a packet as a block of data. These data are in binary form called "bytes." Digital communication is a communication of binary data (bytes) and in modern communication (such as the Internet), these bytes are grouped into packets.

Think of a packet like a piece of postal mail. The envelope is the "headers" (as it contains the information for where to send the specific packets, and provides a means to authenticate the information, if it is indeed correct). The message inside the envelope is the actual user information to be transmitted or received.

TCP/IP: This stands for Transmission Control Protocol/Internet Protocol. It is a protocol for governing Internet communication. More precisely, these two work together in efficiently transmitting and receiving packets as they travel the digital communication network.

Ethernet: This is a protocol/computer networking technology for local area networks.

Network interface: This is your LAN network card. The function of the network card is to provide a physical (hardware) interface for executing Ethernet communications in a local area network. This is used as a capturing device for Wireshark, where packets are intercepted, displayed and analyzed by the application.

{mospagebreak title=Basic installation of Wireshark}

Now that you know the principles of networking that govern the operation and analysis of Wireshark packets, you are ready to install Wireshark. Follow the steps below:

Step 1. Download Wireshark. Always download the latest stable release. At the time this tutorial was written, the version used was Version 1.2.1.

Step 2. Install Wireshark on your computer. Installation is very easy. Also install the associated third party applications, because you will need them (example: WinPcap).

Step 3. Once installed, you need to be acquainted with the basic features. Launch Wireshark. The first thing you see is the Wireshark Dashboard panel.

The most important part of the Dashboard panel is the "Capture" section. This is where you can select the type of device you need to capture. These are found under the "Interface list." Detailed customization of settings can be found under "Capture options." For selecting and customizing the interface, keep reading.

Selecting and customizing the network interface

In the above screen shot, there are three interfaces shown. However, do note that NOT all interfaces are active. These means not all of those three interfaces are capturing packets in your computer. To double check which interface is the actual active LAN card, you can click the "Interface List" (see screen shot above).

Look at the "Packets" and "Packets/s" column. The active interface should capture packets and you should see one interface that is capturing packets. If everything seems to look blank, try to initiate HTTP traffic by opening your browser and surfing websites; there should be one capturing packets. For example, see below:

In the above screen shot, Realtek RTL8139 Family Fast Ethernet Adapter is the active interface for which you can capture packets.

The lesson here is that you can capture packets via Wireshark from any active network card you are using for LAN. When you browse the web (or perform any network activity), the packets column will show figures indicating the number of packets received and speed of packets passing (i.e. how many per second).

You can even use this information for network card troubleshooting, to see if the LAN interface is receiving packets. In the second part of this tutorial we will look at data interpretation, packet analysis and actual/advanced applications of Wireshark.